
Blue Screen! Please help!!


  • This topic is locked
14 replies to this topic

#1 beack08


Posted 26 June 2009 - 09:54 AM

Hi,

I have been helped with the "HijackThis" section for help with malware found on my system.

I was recommended now to come here to possibly find a solution.

To see that post:
INFECTED - with trojan or more?

The only other possibility apparently is to reformat and reload your computer.

Which as you can imagine is not something I'd like to do!!!!

Please help!

Edited by beack08, 26 June 2009 - 09:55 AM.




#2 techextreme


Posted 26 June 2009 - 10:14 AM

Do you have any information from the BSOD that you can post on here to help us help you with it possibly?

Thanks,
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#3 beack08


Posted 26 June 2009 - 12:17 PM

OK, I am not very knowledgeable with all this... so bear with me.
I understand that the error should list a driver with a .sys in the file name.
How can I find out the name? What do I do for that?


Just before the system crash I was told:


--------------------------------------
Hi beack08,

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

CODE
File::
c:\windows\95382hazktool59a.exe
c:\windows\z079backdoor5729.bin
c:\windows\system32\256czteal859.bin
c:\windows\359fsp9ware3z5.dll
c:\windows\system32\51959teaz23165.exe
c:\windows\system32\669cspywzre3565.dll
c:\windows\3z41d5wnloader24409.bin
c:\windows\system32\460z9pywa5e387.dll
c:\windows\system32\z6217t95j1d7.dll
c:\windows\748zpam9ot525.dll
c:\windows\system32\188spar9ez554.exe
c:\windows\79eevzr5539.bin
c:\windows\system32\395a9ir1450z.exe
c:\windows\11095wor57ez.dll
c:\windows\system32\26724v5rusz439.dll
c:\windows\system32\3957downloaderz231.dll
c:\windows\15726spz179.exe
c:\windows\system32\zc47spy9are1517.bin
c:\windows\25d1bzckdo5r9616.bin
c:\windows\17995iruz14f.bin
c:\windows\system32\20e9addwzre5662.bin
c:\windows\system32\3917spy5are1999z.bin
c:\windows\system32\29609s5y50ez.exe
c:\windows\system32\5799zparse1827.exe
c:\windows\1752zhi9f1155.bin
c:\windows\zd595hief299.exe
c:\windows\46a695arse62z.bin
c:\windows\6951do5nload9z536.dll
c:\windows\system32\2e9cs5arsz526.exe
c:\windows\3dz5spars59159.dll
c:\windows\system32\16809n9t-a-v5rus77bz.bin
c:\windows\1cf3zddw5re19509.dll
c:\windows\system32\1917z5oj6b6.exe
c:\windows\system32\6e45vzr4219.dll
c:\windows\20575spambot696z.bin
c:\windows\system32\30115v5rus59z.dll
c:\windows\system32\5142downloade9251z.exe
c:\windows\1930spars5z527.bin
c:\windows\system32\242z9v5rus192.bin
c:\windows\system32\57377tr9j6d6z.exe
c:\windows\system32\4247not-a95irus4bz.exe
c:\windows\549z5hre9t559.dll
c:\windows\system32\5bd3b5ckdzor28559.exe
c:\windows\z815troj5339.dll
c:\windows\130dthi5f1219z.dll
c:\windows\system32\1e7bz5yware9116.dll
c:\windows\system32\52063wo9m27z.bin
c:\windows\4501h9ckt5oz7b9.bin
c:\windows\system32\3e08backdoo590z4.bin
c:\windows\7936sp95z5.exe
c:\windows\system32\569tzoj129.exe
c:\windows\51599spz470.bin
c:\windows\system32\zfff5hreat26439.bin
c:\windows\system32\58fez5wnl9ader1167.bin
c:\windows\25695s9zmbot649.dll
c:\windows\system32\310a59zef541.bin
c:\windows\system32\411a5aczdoor3095.exe
c:\windows\6a25tzal2189.exe
c:\windows\system32\16783vi5us5z9.bin
c:\windows\system32\311139i5uzd9.bin
c:\windows\5541spazbo96c.dll
c:\windows\system32\1195ot-a-viru9777z.exe
c:\windows\381espar5e990z.dll
c:\windows\2918zteal3175.exe
c:\windows\1563down9oaderz174.bin
c:\windows\system32\59879troz3859.exe
c:\windows\9c6addware5z89.dll
c:\windows\12335n5t-a-virus9z3.exe
c:\windows\583bad9waz5684.bin
c:\windows\11z63spy3955.dll
c:\windows\12008s5yz98.dll
c:\windows\system32\55919py58az.bin
c:\windows\5935tzoj17d9.exe
c:\windows\7e9aste5l12z5.exe
c:\windows\system32\27449not5z-v9rus648.exe
c:\windows\90511nzt-a-virus77a.exe
c:\windows\794esparse572z.dll
c:\windows\43z9sparse5313.bin
c:\windows\29ze5hreat99691.dll
c:\windows\7z985ack9oor1218.exe
c:\windows\9831spy4z05.dll
c:\windows\5392steal18z0.exe
c:\windows\system32\19fc5pywarez86.bin
c:\windows\system32\29902n9t-5zvirus11c.bin
c:\windows\system32\10209zirus509.dll
c:\windows\5zedsparse1993.bin
c:\windows\73d895dwarz1589.exe
c:\windows\system32\25e5addwa9ez70.exe
c:\windows\715cz9eal506.bin
c:\windows\system32\5951not-azvirus3d59.bin
c:\windows\system32\9aczspyware5630.dll
c:\windows\6248s9yzare529.exe
c:\windows\6z539roj1ea.bin
c:\windows\5b5ez9r2664.dll
c:\windows\6bb0dow9lzader2245.exe
c:\windows\5308z9cktoolc6.bin
c:\windows\system32\localspl.dll
c:\windows\2z118v95us6db.exe
c:\windows\7415downl9adzr984.exe
c:\windows\system32\7e11stezl5934.exe
c:\windows\20170szam9o534a.exe
c:\windows\system32\57czthre9t52500.dll
c:\windows\54az9ddwar52824.bin
c:\windows\28229tr5z64e.exe
c:\windows\system32\125z0spambot98b5.dll
c:\windows\247z2sp5519.dll
c:\windows\system32\32791tzoj52b5.bin
c:\windows\19d3thzef955.bin
c:\windows\29806not5a-virus5z2.bin
c:\windows\98z5hie91935.bin
c:\windows\system32\win32k.sys
c:\windows\system32\z374sp91e85.exe
c:\windows\system32\7b585z91607.dll
c:\windows\system32\284zbac9door995.exe
c:\windows\25913spambot595z.bin
c:\windows\7bdet5rzat25139.exe
c:\windows\system32\rpcrt4.dll
c:\windows\system32\58896hacktzol6f5.exe
c:\windows\system32\2169zwo5m5c7.bin
c:\windows\system32\ezsidmv.dat
c:\windows\2239znot-a-v5rus35f.exe
c:\windows\4z59py55.dll
c:\windows\11684ha9ktool5z.bin
c:\windows\14779h5cktoo9z.dll
c:\windows\5a8cth5ef9z7.dll
c:\windows\system32\3568threa58z99.bin
c:\windows\65bdownz5ader989.exe
c:\windows\system32\58d8szyware25359.exe

Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

------------------------------



The only .sys listed up there is c:\windows\system32\win32k.sys.
Could this be the one???
SifuMike, the person helping me, maybe didn't think about that. He just told me that it's a wild card to guess what .sys is causing the problem.

#4 snowdrop


Posted 26 June 2009 - 12:28 PM

Are you aware that your HJT log thread is still open?

http://www.bleepingcomputer.com/forums/ind...=233570&hl=

I do not see on that thread your HJT Helper ask you to start a new topic, so you really ought to continue on that thread. :thumbsup:

#5 beack08


Posted 26 June 2009 - 12:33 PM

Well, the post that told me to come to you has been deleted and more steps have been given :thumbsup:

So I am not sure what happened. I posted my message here following the instructions of SifuMike.

#6 snowdrop


Posted 26 June 2009 - 12:47 PM

I have asked the Staff to check this out for you ; you may wish to return TO the HJT thread and stay on that one to avoid any confusion :thumbsup:

#7 beack08


Posted 26 June 2009 - 12:58 PM

I was just told again to come back here :thumbsup:


Here is the message:

Hi,

QUOTE
When typing cd erdnt\subs
I get: - the system cannot find the file or directory specified.
So then I tried batch erdnt.con
I still get: - the system cannot find the file or directory specified.
I then typed exit and it restarted and again same blue screen.

If it can't find the files then that means a backup was not made before it crashed.

QUOTE
In the steps you gave me prior to the system crashing the only .sys listed was

c:\windows\system32\win32k.sys.
Could this be the one?

Yes, that may be the one.

It looks like you may have to reformat and reload your computer. Read here for instructions how to format and reinstall Windows:
http://web.mit.edu/ist/products/winxp/adva...all-format.html


Since this is a drastic step and the last resort, I suggest you go to our Windows experts at the Windows XP Home and Professional forum. Perhaps they can suggest a better solution.

Let them know that you have been to this forum and that malware was found and removed. IMHO, a driver is causing your problem.

When posting to any other forum, do not post a HijackThis log or DDS log, or the post will simply be moved back to this forum for infection analysis. That is what HijackThis is used for and that is what we specialize in here in this forum.

Also, when posting in any other forum for assistance, give as much detail as possible regarding any issues that are occurring. The more information they have, the better the Windows techs can analyze the issue and make any recommendations for resolving it.




#8 boopme


Posted 26 June 2009 - 12:59 PM

SIFUMIKE has requested them to post elsewhere...

It looks like you may have to reformat and reload your computer. Read here for instructions how to format and reinstall Windows:
http://web.mit.edu/ist/products/winxp/adva...all-format.html


Since this is a drastic step and the last resort, I suggest you go to our Windows experts at the Windows XP Home and Professional forum. Perhaps they can suggest a better solution.

Let them know that you have been to this forum and that malware was found and removed. IMHO, a driver is causing your problem.

When posting to any other forum, do not post a HijackThis log or DDS log, or the post will simply be moved back to this forum for infection analysis. That is what HijackThis is used for and that is what we specialize in here in this forum.

Also, when posting in any other forum for assistance, give as much detail as possible regarding any issues that are occurring. The more information they have, the better the Windows techs can analyze the issue and make any recommendations for resolving it.


How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#9 beack08


Posted 26 June 2009 - 01:06 PM

SIFUMIKE has requested them to post elsewhere...



boopme: I don't understand what you mean. I am in the right place, right?

#10 hamluis


Posted 26 June 2009 - 01:14 PM

You might try the following procedures, Help Diagnosing BSODs And Crashes (BC) - http://www.bleepingcomputer.com/forums/t/176011/how-to-receive-help-diagnosing-blue-screens-and-windows-crashes/

The system files...such as win32K.sys...are not necessarily the problem, just the point where the problem disconcerts XP. If you follow the procedures above, that may provide more data that can be used to try to help you.

FWIW: Anytime you get a BSOD error message...you should write it down, in its entirety. The message is Windows trying to tell users what is wrong and/or where whatever went wrong occurred.

Does your system boot into XP at this moment?

Louis

#11 boopme


Posted 26 June 2009 - 01:17 PM

Yes you belong here beack08 :thumbsup:

#12 beack08


Posted 26 June 2009 - 01:20 PM

Hi Louis,

No, right now it doesn't load either in safe mode or last known config. I get the same blue screen with message:

--------
STOP: c000021a {Fatal System Error}
The session Manager Initialization system process terminated unexpectedly with a status of 0xc000026c (0x000000000 0x00000000)
The system has been shutdown

---------

So I can't follow the steps you recommend as I can get windows to load.

Edited by beack08, 26 June 2009 - 01:21 PM.


#13 beack08


Posted 26 June 2009 - 02:49 PM

With the help of SifuMike I was able to fix the issue I was having.

Could you please close this thread?

We are so sorry for causing them unnecessary work.

Thank you again so much for your support.

#14 hamluis


Posted 26 June 2009 - 03:16 PM

Soooo...how did you "fix" whatever was wrong?

Louis

#15 boopme


Posted 26 June 2009 - 03:22 PM

Look here Louis from post 31...

Thanks all ...I am closing this thread..